- From: Kris Zyp <kzyp@sitepen.com>
- Date: Mon, 25 Feb 2008 16:37:11 -0700
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>

> > There's a new proposal for this:
> > http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0219.html
> > I think it addresses your concerns.

This looks good. It does seem to imply that other request headers may be considered for inclusion in the whitelist. Therefore, I would like to suggest the following additional headers be permitted in the standard whitelist of request headers:

Expect - A basic HTTP header that can be useful for checking a request before sending a full request
From - This can be voluntarily provided by user agents to identify who the user is
Range - To request a partial subset of a resource (with Atom Publishing Protocol this is becoming increasingly useful)
XSite-* - I believe we should have a subdomain of allowed custom headers, that both server and client will be mutually aware will not be filtered in cross site requests.

I don't believe any of these headers represents a security threat.

> No such optimization has been discussed and I'm not sure we should add
> it. If this indeed becomes a common pattern we can always optimize later.
> (Premature optimization and all...)

That sounds reasonable.

BTW, I am very excited about this specification, this is really going to open up some exciting possibilities. Good work,

Thanks,
Kris

Received on Monday, 25 February 2008 23:37:58 UTC